64 bit ELF with Full RELRO, stack canary, NX enabled, No PIE.
A quick run of the program:
By reversing the binary, we found that the program uses a function named getaline() to read the user input. We can see that the getaline() function is just like the one in stdio.h, so the program itself has multiple stack overflow vulnerabilities.
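To make the root cause concrete, here is an added example (not the challenge binary's code) that reconstructs, as an assumption, the gets()-style shape of a reader like getaline() and places it next to a bounded version. The names getaline_unbounded, getaline_bounded and demo_bounded_read, and the sample input, are constructed for this example; the bounded reader refuses to write past the caller's buffer and drains the rest of an over-long line so the next read starts clean.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Assumed reconstruction of a gets()-style line reader: copies bytes until
 * newline/EOF with no knowledge of the destination buffer's size.
 * Any line longer than the stack buffer it is given overwrites whatever
 * follows that buffer (saved registers, canary, return address). */
static size_t getaline_unbounded(char *buf, FILE *in) {
    size_t n = 0;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        buf[n++] = (char)c;          /* no check against the buffer size */
    buf[n] = '\0';
    return n;
}

/* Hardened form: stores at most cap-1 bytes plus the terminator and discards
 * the remainder of an over-long line instead of writing it anywhere. */
static size_t getaline_bounded(char *buf, size_t cap, FILE *in) {
    size_t n = 0;
    int c;
    if (cap == 0)
        return 0;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (n < cap - 1)
            buf[n++] = (char)c;
        /* else: byte is dropped rather than overflowing buf */
    }
    buf[n] = '\0';
    return n;
}

/* Demo driver on a constructed stream: a 40-byte line of 'A' followed by a
 * second line. Reads the first line with the bounded reader into `out`
 * (capacity `cap`) and the following line into `next`; returns the number
 * of bytes stored in `out`. */
size_t demo_bounded_read(char *out, size_t cap, char *next, size_t next_cap) {
    static const char sample[] =
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"   /* 40 x 'A' */
        "second line\n";
    FILE *in = fmemopen((char *)sample, sizeof sample - 1, "r");
    size_t n = getaline_bounded(out, cap, in);
    getaline_bounded(next, next_cap, in);   /* starts cleanly at "second line" */
    fclose(in);
    return n;
}

int main(void) {
    char small[16], next[32], big[128];
    size_t n = demo_bounded_read(small, sizeof small, next, sizeof next);
    printf("bounded: stored %zu bytes -> \"%s\", next line -> \"%s\"\n", n, small, next);

    /* The unbounded reader is only safe when the destination is known to be
     * large enough for any possible line, which a network-facing program
     * cannot guarantee; here the line fits in `big`. */
    FILE *in = fmemopen((char *)"short\n", 6, "r");
    printf("unbounded: \"%s\"\n", (getaline_unbounded(big, in), big));
    fclose(in);
    return 0;
}
```

The size parameter is what the original reader lacks: the bounded version makes the caller's buffer capacity part of the contract, so an over-long line is truncated rather than spilling onto the canary and return address.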
Although we can easily overwrite the return address, the program has the stack smashing protector (SSP) enabled. Luckily, the program reads the flag's content and stores it in a buffer that lies in the .bss section before entering the main function. So we can try to overwrite the content of argv (which stores a char* pointer to the program file path) with the flag buffer's address. Then we smash the stack and trigger the SSP, which will output the following error message:
Notice that the original content of argv is a 6-byte memory address, while the flag buffer's address is only 3 bytes (0x6010c0). So we have to null out argv first before we change it to 0x6010c0, or else the program will crash before it is able to output the error message.
Although the exploit works on the local machine, it failed to work on the remote side. I sent the payload about a hundred times and it just wouldn't give me the flag. It really frustrated me at that moment because I was so close to capturing the flag and the contest was about to end in 5 minutes...
But there was nothing more I could do, so I just kept sending the same payload again and again, hoping that it would work by the end of the contest. And then, something amazing happened...
lol WTF?
I still don't know why it worked at the very end of the contest! I mean it's the same payload! How is this even possible? Anyway, I managed to submit the flag right before the end of the contest and got the damn 300 points... What an end @_@!